K3s on RHEL/CentOS/Oracle Linux
firewalld/fapolicyd
It is recommended to disable firewalld and fapolicyd:
systemctl disable firewalld --now
systemctl disable fapolicyd.servicenm-cloud-setup
If enabled, it is required to disable nm-cloud-setup and reboot the node:
systemctl disable nm-cloud-setup.service nm-cloud-setup.timer
rebootmake sure noexec is not used for dedicated rancher partition
If you are using a dedicated partition (/var/lib/rancher) to run K3s make sure to NOT have mounted it using noexec flag inside /etc/fstab file.
disable fips mode
If you have FIPS mode enabled is necessary to disable it otherwise some of our workloads running in K3s will crash at startup. To check if FIPS is enabled run:
sysctl crypto.fips_enabled
In order to disable, please refer to the instruction below:
fips-mode-setup --disable
Please visit this KB Article if you want to know more.
iptables
RHEL like systems have buggy version of iptables 1.8.4 which is causing issues with firewall, service routing and external network reachability as well as performance issues. It is required to configure k3s to use bundled version by modifying k3s service( same for k3s-agent service on worker nodes in HA deployments) file and adding --prefer-bundled-bin option to service’s cmd and restarting service.
~$ cat /etc/systemd/system/k3s.service
ExecStart=/usr/local/bin/k3s \
server \
'--node-name=local-01' \
'--prefer-bundled-bin' \
~$ sudo systemctl daemon-reload
~$ sudo systemctl stop k3s
~$ sudo systemctl start k3s
~$If this change is done on existing system reboot is recommended to clear duplicate iptables rules.
~$ sudo reboot More details can be found here - Known Issues | K3s.
Last updated
Was this helpful?